One of our research tools flagged php.net as distributing malware. The site appears to have been compromised and had some of its JavaScript altered to exploit vulnerable systems visiting the website, instead of the ad-network vector that we typically see on more popular sites.

According to Alexa, php.net is the 228th most visited site in the world, so it is likely that quite a few systems were compromised while it was serving up malware.

Earlier today Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site, etc. Interestingly enough, the Google diagnostic page now seems to say otherwise, and there seems to be some controversy and disbelief that a site like php.net could be doing this, so as we have a capture of it we thought we'd share it to remove all doubt.

We’re a week or two away from launching a new tool to allow for better visualization and exploration of malicious sites, so stay tuned, but for now here is a link to the pcap for those of you who’d like to analyze it.

Nice article! Important point, though: StopBadware is an independent nonprofit organization. Google gives their data to us, not the other way around! Google’s Safe Browsing technology caught the suspicious code on php dot net. We don’t curate a blacklist or make malware warnings.

I just extracted the exe from the PCAP you provided using wireshark and foremost. The filename and MD5 are as follows:
852c225ab9898102f2aee6b8d2abc501 00000000.exe
Running the MD5 through VirusTotal returns "file not found". I am uploading the file to VirusTotal right now to see if it's something known.
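The carving step the commenter describes (pull the executable out of the HTTP stream, hash it, compare against the posted MD5) can be reproduced without foremost. The Python below is an added example, not code from the post or from the commenter; it works on a reassembled HTTP byte stream and uses a constructed, inert MZ/PE skeleton as sample input, so the MD5 it computes is not the real sample's hash.

```python
import hashlib
import re

# MD5 reported in the comment above (value from the page, not computed here).
REPORTED_MD5 = "852c225ab9898102f2aee6b8d2abc501"

# Matches a 200 response status line and captures its header block.
HTTP_RESPONSE = re.compile(rb"HTTP/1\.[01] 200 [^\r\n]*\r\n(.*?)\r\n\r\n", re.S)


def looks_like_pe(data: bytes) -> bool:
    """Same sanity check foremost applies to 'exe' hits: an MZ DOS header and a
    'PE\\0\\0' signature at the offset stored in e_lfanew (0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_http_executables(stream: bytes) -> list:
    """Walk a reassembled HTTP stream and return offset/size/md5 for every
    response body that is a PE image. Bodies are sized by Content-Length."""
    found = []
    for m in HTTP_RESPONSE.finditer(stream):
        length = re.search(rb"content-length:\s*(\d+)", m.group(1).lower())
        if not length:
            continue  # chunked/unsized bodies would need reassembly; skipped here
        start = m.end()
        body = stream[start:start + int(length.group(1))]
        if looks_like_pe(body):
            found.append({"offset": start, "size": len(body),
                          "md5": hashlib.md5(body).hexdigest()})
    return found


def matches_reported(md5: str) -> bool:
    """True when a carved file is the same binary the commenter hashed."""
    return md5.lower() == REPORTED_MD5


def build_fake_pe() -> bytes:
    # Constructed stand-in for a dropped binary: headers only, no code at all.
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)
    stub += (0x40).to_bytes(4, "little")       # e_lfanew -> PE header at 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20       # signature + blank COFF header
    return bytes(stub)


# Constructed stream: an HTML page followed by an octet-stream download.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n<html></html>"
    + b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: "
    + str(len(build_fake_pe())).encode() + b"\r\n\r\n" + build_fake_pe()
)

if __name__ == "__main__":
    for hit in carve_http_executables(SAMPLE_STREAM):
        print(hit, "reported sample" if matches_reported(hit["md5"]) else "different file")
```

On a real capture, feed the function the TCP-stream payload that Wireshark's "Follow TCP Stream" exports as raw bytes (one direction, server to client).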

My guess for the reason behind this is that someone cracked credentials acquired from a database obtained via the recent vBulletin exploiting spree, and found PHP devs reusing credentials, thus permitting them access to the box to carry out these actions.